Researcher Set to Disclose Chrome Zero-Day

Google shells out a decent chunk of change each quarter to security researchers who find vulnerabilities in its Chrome Web browser. So when a security researcher claiming to have found a zero-day in Chrome forgoes the payout, the big question becomes, "Why?"

Georgian researcher Ucha Gobejishvili plans to disclose a previously unknown security hole in Chrome at the MalCon hacking conference in New Delhi, India, on Saturday, according to a list of talks posted on the MalCon website. Gobejishvili's talk, titled "Project Calypso, Art of Infection," will cover browser exploitation methodologies and focus on the zero-day, according to the summary.

In an online chat session with Security Ledger, Gobejishvili said the zero-day was a "critical vulnerability" in a DLL file. If exploited successfully, the vulnerability would allow a remote attacker to push and run a malicious executable file to the victim's computer. While the demonstration would be on a Windows machine, it could potentially work on other platforms.

"It has silent and automatically (sp) download function…and it works on all Windows systems" Gobejishvili told Security Ledger.

Not Interested in the Money?

While many researchers disclose vulnerabilities directly to the vendor, many others choose to sell the proof-of-concept demonstrating the security flaw to various exploit brokers and intelligence agencies. Researchers reportedly make more money through the vulnerability market than they would through a company's bug bounty program. In this case, however, Gobejishvili does not appear to be working with an exploit broker.

Gobejishvili will demonstrate the exploit at MalCon and have a general discussion about the flaw, but he does not intend to release the source code of his proof-of-concept.

"I know this is a very dangerous issue…that’s why I am not publishing more details about this vulnerability," he said during the chat session.

At the moment, researchers who can demonstrate a "Full Chrome exploit" on a fully patched Windows 7 system running the latest version of the Web browser can collect $60,000 in bug bounty money. A "Partial Chrome Exploit," which uses at least one bug to get user access, is worth $50,000. A "Non-Chrome exploit," a successful attack via Windows or Flash, earns a security researcher $40,000.

In fact, Google just recently paid $60,000 to a hacker known as "Pinkie Pie" for successfully exploiting two native Chrome vulnerabilities in order to circumvent the application sandbox in Chrome. The company patched the flaws within 24 hours.

Gobejishvili had not previously contacted the company about the issue, a Google spokesperson told Security Ledger. Despite Gobejishvili's assertion that Google "knows that they have issue in chrome product," the search giant appears to be playing the same wait-and-see game as the rest of us waiting for news out of New Delhi.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.